Bugtraq mailing list archives

Re: Securax Advisory 13


From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Tue, 2 Jan 2001 20:55:10 +0100

On Mon, 1 Jan 2001, incubus wrote:

> when someone telnets to a unix system, the tty that will be assigned
> to him will be writable for any user on the system. However, when he
> is logged in, his tty will not be writable for all users. So if
> someone would write data to a tty that is currently used by someone
> who's logging in, that person won't be able to log in.

Completely wrong:

a) first of all, modern Linux boxes have a dynamic pts allocation scheme
   (devpts or Unix '98 ptys). In this case, the pts lives as long as you
   are using it, and is NOT a static object which is world-writable
   before use,

b) then, whenever this mechanism is not available, which is the case
   you are talking about, it works this way: in order to open /dev/ttypa0
   (for example), you have to open /dev/ptya0 (master + slave device
   scheme); as long as you are using the pseudo-terminal (read: as long as
   you own the fd), it won't be allocated by anyone else (because
   /dev/ptya0 cannot be re-opened - it is exclusive access). So, as long
   as you are keeping a descriptor to the pseudo-terminal device, it
   won't be reused. Period. You cannot keep the fd using a background
   process, log out, log in again and have the same tty.

Please read the documentation.

[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ttyb1
cat: /dev/ttyb1: Błąd wejścia/wyjścia

(cannot access slave without opening master)

[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ptyb1 &
[1] 6296
[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ptyb1
cat: /dev/ptyb1: I/O error

(can open master only once)

[lcamtuf@squirrel:6 lcamtuf]$ cat /dev/ttyb1 &
[2] 6298
[lcamtuf@squirrel:6 lcamtuf]$ kill -9 6296
[1]-  Killed                  cat /dev/ptyb1
[2]+  Done                    cat /dev/ttyb1

(you cannot keep the fd after closing the master)

>  bzero(tty, sizeof(tty));
>  strcat(tty, "/dev/tty4"); /* change to tty you want */

Real terminals (ttys) have a completely different mechanism and are
NOT used for remote (e.g. telnet) system access. And even in this case, you
have the so-called terminal hangup mechanism, which will protect you against
such attacks, btw.

>  write(fd, string, sizeof(string));

...consider TIOCSTI, btw...

-- 
_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=--=> Did you know that clones never use mirrors? <=--=
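The two properties argued in a) and b) above can be checked directly on a Linux Unix '98 pty (/dev/ptmx plus devpts). This is an added example, not code from the post or the advisory it replies to; the function names are mine, and it assumes a Linux host with devpts mounted. It shows that the slave node only exists while some process holds the master, and that a slave kept open across the master's close is hung up rather than left usable.

```c
#define _GNU_SOURCE          /* posix_openpt, grantpt, unlockpt, ptsname_r */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the slave node appeared when the master was opened and
 * vanished when it was closed, 0 otherwise, -1 if no pty could be allocated. */
int slave_lives_with_master(void)
{
    struct stat st;
    char name[64];
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (ptsname_r(master, name, sizeof name) != 0) {   /* e.g. /dev/pts/3 */
        close(master);
        return -1;
    }
    int present = (stat(name, &st) == 0);     /* devpts created the node on open */
    close(master);                            /* only holder of the master goes away */
    int gone = (stat(name, &st) < 0 && errno == ENOENT);
    return present && gone;
}

/* Returns 1 if a slave held open across the master's close reads as hung up
 * (EOF or EIO), 0 if it stayed usable, -1 if no pty could be allocated. */
int slave_hangs_up_when_master_closes(void)
{
    char name[64], buf[16];
    int master = posix_openpt(O_RDWR | O_NOCTTY);
    if (master < 0)
        return -1;
    if (grantpt(master) < 0 || unlockpt(master) < 0 ||
        ptsname_r(master, name, sizeof name) != 0) {
        close(master);
        return -1;
    }
    int slave = open(name, O_RDWR | O_NOCTTY);
    if (slave < 0) { close(master); return -1; }
    /* With both ends open the pair works: a line typed at the master reaches the slave. */
    if (write(master, "hi\n", 3) != 3 || read(slave, buf, sizeof buf) <= 0) {
        close(slave); close(master); return 0;
    }
    close(master);                            /* master closed: slave gets the hangup */
    ssize_t n = read(slave, buf, sizeof buf);
    int hung = (n == 0 || (n < 0 && errno == EIO));
    close(slave);
    return hung;
}
```

Compile with `cc -o ptycheck ptycheck.c` and call the two functions from a `main`; both return 1 on a normal Linux system.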

